\usepackage[utf8]{inputenc}
\usepackage{listings}
+\usepackage{tikz}
+
+\usetikzlibrary{positioning,intersections,backgrounds,calc,shadings,shapes.arrows,shapes.symbols,shadows}
+\usepgflibrary{shapes.geometric}
+\usepgflibrary{shapes.misc}
+\usepgflibrary{shapes.symbols}
+\usepgflibrary{shapes}
+\usetikzlibrary{shapes,decorations,shadows}
+\usetikzlibrary{decorations.pathmorphing}
+\usetikzlibrary{decorations.shapes}
+\usetikzlibrary{decorations.text}
+\usetikzlibrary{fadings}
+\usetikzlibrary{patterns}
+\usetikzlibrary{calc}
+\tikzstyle{netdb}=[anchor=center,color=black,rectangle,draw,minimum
+size=.6em,minimum height=.2em]
+\tikzstyle{client}=[fill=i4gray,rectangle,draw]
+\tikzstyle{chain}=[rectangle,draw,minimum size=1em,minimum height=.5em]
+\tikzstyle{arrow}=[->,thick,draw,shorten <=2pt,shorten >=2pt,]
+\tikzstyle{tunnel}=[fill=gray,shape=ellipse,minimum size=4em,minimum height=1.1em]
+
\usetheme{CambridgeUS}
\usefonttheme{structuresmallcapsserif}
\title{DNSSEC}
\author{Christoph Egger}
-\institute[Debian]{The Debian Project}
-\date{}
+%\institute[Debian]{The Debian Project}
+\date{\today}
\usebackgroundtemplate{\includegraphics[width=\paperwidth]{images/swirl-lightest}}
\logo{\includegraphics[viewport=274 335 360 440,width=1cm]{images/openlogo-nd.pdf}}
\setbeamercolor{palette sidebar quaternary}{fg=debianred}
\setbeamercolor{block title}{fg=debianblue}
- \setbeamercolor{description item}{fg=debianblue}
+\setbeamercolor{description item}{fg=debianblue}
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+% http://www.texample.net/media/tikz/examples/TEX/network-topology.tex %
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\makeatletter
+\pgfkeys{/pgf/.cd,
+ parallelepiped offset x/.initial=2mm,
+ parallelepiped offset y/.initial=2mm
+}
+\pgfdeclareshape{parallelepiped}
+{
+ \inheritsavedanchors[from=rectangle] % this is nearly a rectangle
+ \inheritanchorborder[from=rectangle]
+ \inheritanchor[from=rectangle]{north}
+ \inheritanchor[from=rectangle]{north west}
+ \inheritanchor[from=rectangle]{north east}
+ \inheritanchor[from=rectangle]{center}
+ \inheritanchor[from=rectangle]{west}
+ \inheritanchor[from=rectangle]{east}
+ \inheritanchor[from=rectangle]{mid}
+ \inheritanchor[from=rectangle]{mid west}
+ \inheritanchor[from=rectangle]{mid east}
+ \inheritanchor[from=rectangle]{base}
+ \inheritanchor[from=rectangle]{base west}
+ \inheritanchor[from=rectangle]{base east}
+ \inheritanchor[from=rectangle]{south}
+ \inheritanchor[from=rectangle]{south west}
+ \inheritanchor[from=rectangle]{south east}
+ \backgroundpath{
+ % store lower right in xa/ya and upper right in xb/yb
+ \southwest \pgf@xa=\pgf@x \pgf@ya=\pgf@y
+ \northeast \pgf@xb=\pgf@x \pgf@yb=\pgf@y
+ \pgfmathsetlength\pgfutil@tempdima{\pgfkeysvalueof{/pgf/parallelepiped
+ offset x}}
+ \pgfmathsetlength\pgfutil@tempdimb{\pgfkeysvalueof{/pgf/parallelepiped
+ offset y}}
+ \def\ppd@offset{\pgfpoint{\pgfutil@tempdima}{\pgfutil@tempdimb}}
+ \pgfpathmoveto{\pgfqpoint{\pgf@xa}{\pgf@ya}}
+ \pgfpathlineto{\pgfqpoint{\pgf@xb}{\pgf@ya}}
+ \pgfpathlineto{\pgfqpoint{\pgf@xb}{\pgf@yb}}
+ \pgfpathlineto{\pgfqpoint{\pgf@xa}{\pgf@yb}}
+ \pgfpathclose
+ \pgfpathmoveto{\pgfqpoint{\pgf@xb}{\pgf@ya}}
+ \pgfpathlineto{\pgfpointadd{\pgfpoint{\pgf@xb}{\pgf@ya}}{\ppd@offset}}
+ \pgfpathlineto{\pgfpointadd{\pgfpoint{\pgf@xb}{\pgf@yb}}{\ppd@offset}}
+ \pgfpathlineto{\pgfpointadd{\pgfpoint{\pgf@xa}{\pgf@yb}}{\ppd@offset}}
+ \pgfpathlineto{\pgfqpoint{\pgf@xa}{\pgf@yb}}
+ \pgfpathmoveto{\pgfqpoint{\pgf@xb}{\pgf@yb}}
+ \pgfpathlineto{\pgfpointadd{\pgfpoint{\pgf@xb}{\pgf@yb}}{\ppd@offset}}
+ }
+}
+\makeatother
+
+\tikzset{l3 switch/.style={
+ parallelepiped,fill=switch, draw=white,
+ minimum width=0.75cm,
+ minimum height=0.75cm,
+ parallelepiped offset x=1.75mm,
+ parallelepiped offset y=1.25mm,
+ path picture={
+ \node[fill=white,
+ circle,
+ minimum size=6pt,
+ inner sep=0pt,
+ append after command={
+ \pgfextra{
+ \foreach \angle in {0,45,...,360}
+ \draw[-latex,fill=white] (\tikzlastnode.\angle)--++(\angle:2.25mm);
+ }
+ }
+ ]
+ at ([xshift=-0.75mm,yshift=-0.5mm]path picture bounding box.center){};
+ }
+ },
+ ports/.style={
+ line width=0.3pt,
+ top color=gray!20,
+ bottom color=gray!80
+ },
+ rack switch/.style={
+ parallelepiped,fill=white, draw,
+ minimum width=1.25cm,
+ minimum height=0.25cm,
+ parallelepiped offset x=2mm,
+ parallelepiped offset y=1.25mm,
+ xscale=-1,
+ path picture={
+ \draw[top color=gray!5,bottom color=gray!40]
+ (path picture bounding box.south west) rectangle
+ (path picture bounding box.north east);
+ \coordinate (A-west) at ([xshift=-0.2cm]path picture bounding box.west);
+ \coordinate (A-center) at ($(path picture bounding box.center)!0!(path
+ picture bounding box.south)$);
+ \foreach \x in {0.275,0.525,0.775}{
+ \draw[ports]([yshift=-0.05cm]$(A-west)!\x!(A-center)$)
+ rectangle +(0.1,0.05);
+ \draw[ports]([yshift=-0.125cm]$(A-west)!\x!(A-center)$)
+ rectangle +(0.1,0.05);
+ }
+ \coordinate (A-east) at (path picture bounding box.east);
+ \foreach \x in {0.085,0.21,0.335,0.455,0.635,0.755,0.875,1}{
+ \draw[ports]([yshift=-0.1125cm]$(A-east)!\x!(A-center)$)
+ rectangle +(0.05,0.1);
+ }
+ }
+ },
+ server/.style={
+ parallelepiped,
+ fill=white, draw,
+ minimum width=0.35cm,
+ minimum height=0.75cm,
+ parallelepiped offset x=3mm,
+ parallelepiped offset y=2mm,
+ xscale=-1,
+ path picture={
+ \draw[top color=gray!5,bottom color=gray!40]
+ (path picture bounding box.south west) rectangle
+ (path picture bounding box.north east);
+ \coordinate (A-center) at ($(path picture bounding box.center)!0!(path
+ picture bounding box.south)$);
+ \coordinate (A-west) at ([xshift=-0.575cm]path picture bounding box.west);
+ \draw[ports]([yshift=0.1cm]$(A-west)!0!(A-center)$)
+ rectangle +(0.2,0.065);
+ \draw[ports]([yshift=0.01cm]$(A-west)!0.085!(A-center)$)
+ rectangle +(0.15,0.05);
+ \fill[black]([yshift=-0.35cm]$(A-west)!-0.1!(A-center)$)
+ rectangle +(0.235,0.0175);
+ \fill[black]([yshift=-0.385cm]$(A-west)!-0.1!(A-center)$)
+ rectangle +(0.235,0.0175);
+ \fill[black]([yshift=-0.42cm]$(A-west)!-0.1!(A-center)$)
+ rectangle +(0.235,0.0175);
+ }
+ },
+}
+
+\usetikzlibrary{calc, shadings, shadows, shapes.arrows}
+
+% Styles for interfaces and edge labels
+\tikzset{%
+ interface/.style={draw, rectangle, rounded corners, font=\LARGE\sffamily},
+ ethernet/.style={interface, fill=yellow!50},% ethernet interface
+ serial/.style={interface, fill=green!70},% serial interface
+ speed/.style={sloped, anchor=south, font=\large\sffamily},% line speed at edge
+ route/.style={draw, shape=single arrow, single arrow head extend=4mm,
+ minimum height=1.7cm, minimum width=3mm, white, fill=switch!20,
+ drop shadow={opacity=.8, fill=switch}, font=\tiny}% inroute/outroute arrows
+}
+\newcommand*{\shift}{1.3cm}% For placing the arrows later
+
+% The router icon
+\newcommand*{\router}[1]{
+\begin{tikzpicture}
+ \coordinate (ll) at (-3,0.5);
+ \coordinate (lr) at (3,0.5);
+ \coordinate (ul) at (-3,2);
+ \coordinate (ur) at (3,2);
+ \shade [shading angle=90, left color=switch, right color=white] (ll)
+ arc (-180:-60:3cm and .75cm) -- +(0,1.5) arc (-60:-180:3cm and .75cm)
+ -- cycle;
+ \shade [shading angle=270, right color=switch, left color=white!50] (lr)
+ arc (0:-60:3cm and .75cm) -- +(0,1.5) arc (-60:0:3cm and .75cm) -- cycle;
+ \draw [thick] (ll) arc (-180:0:3cm and .75cm)
+ -- (ur) arc (0:-180:3cm and .75cm) -- cycle;
+ \draw [thick, shade, upper left=switch, lower left=switch,
+ upper right=switch, lower right=white] (ul)
+ arc (-180:180:3cm and .75cm);
+ \node at (0,0.5){\color{blue!60!black}\Huge #1};% The name of the router
+ % The four arrows, symbols for incoming and outgoing routes:
+ \begin{scope}[yshift=2cm, yscale=0.28, transform shape]
+ \node[route, rotate=45, xshift=\shift] {\strut};
+ \node[route, rotate=-45, xshift=-\shift] {\strut};
+ \node[route, rotate=-135, xshift=\shift] {\strut};
+ \node[route, rotate=135, xshift=-\shift] {\strut};
+ \end{scope}
+\end{tikzpicture}}
+
+\makeatletter
+\pgfdeclareradialshading[tikz@ball]{cloud}{\pgfpoint{-0.275cm}{0.4cm}}{%
+ color(0cm)=(tikz@ball!75!white);
+ color(0.1cm)=(tikz@ball!85!white);
+ color(0.2cm)=(tikz@ball!95!white);
+ color(0.7cm)=(tikz@ball!89!black);
+ color(1cm)=(tikz@ball!75!black)
+}
+\tikzoption{cloud color}{\pgfutil@colorlet{tikz@ball}{#1}%
+ \def\tikz@shading{cloud}\tikz@addmode{\tikz@mode@shadetrue}}
+\makeatother
+
+\tikzset{my cloud/.style={
+ cloud, draw, aspect=2,
+ cloud color={gray!5!white}
+ }
+}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{document}
\titlepage
}
+\section{Einführung}
+
+\begin{frame}
+ \begin{block}{Wikipedia}
+ The Domain Name System Security Extensions (DNSSEC) is a suite of
+ Internet Engineering Task Force (IETF) specifications for securing
+ certain kinds of information provided by the Domain Name System
+ (DNS) as used on Internet Protocol (IP) networks. It is a set of
+ extensions to DNS which provide to DNS clients (resolvers) origin
+ authentication of DNS data, authenticated denial of existence, and
+ data integrity, but not availability or confidentiality.
+ \end{block}
+\end{frame}
+
+\begin{frame}
+ \frametitle{DNS Anfrage}
+ \begin{figure}
+ \centering
+ \begin{tikzpicture}
+ \begin{scope}[yshift=-5em, xshift=-5em]
+ \node[scale=1.5, server,debianblue](Client){};
+ \node[scale=1.5, server, left of=Client, xshift=-.75em](Gateway){};
+ \node[scale=1.5, server, left of=Gateway, xshift=-2em](ISP){};
+
+ \draw[thick,darkgray!10!gray] (Client.west)--(Gateway.east);
+ \draw[thick,darkgray!10!gray] (Gateway.west)--(ISP);
+ \end{scope}
+
+ \begin{scope}[xshift=15em, yshift=5em]
+ \node[thick, draw=darkgray, dotted, minimum width=12em, minimum
+ height=9em, xshift=-3.5em, yshift=-.5em] (siccegge) {};
+ \node[scale=1.2, server,debianblue](Master){};
+ \node[scale=1.2, server, right of=Master, yshift= 1.5em, xshift=1em](Slave 1){};
+ \node[scale=1.2, server, right of=Master, yshift=-1.5em, xshift=1em](Slave 2){};
+
+ \draw[thick,darkgray!10!gray] (Master.east)--(Slave 1);
+ \draw[thick,darkgray!10!gray] (Master.east)--(Slave 2);
+ \end{scope}
+
+ \begin{scope}[yshift=5em]
+ \node[thick, draw=darkgray, dotted, minimum width=12em, minimum
+ height=9em, xshift=-3.5em, yshift=-.5em] (de) {};
+ \node[scale=1.2, server,debianblue](Sub Master){};
+ \node[scale=1.2, server, right of=Sub Master, yshift= 1.5em,
+ xshift=1em](Sub Slave 1){};
+ \node[scale=1.2, server, right of=Sub Master, yshift=-1.5em,
+ xshift=1em](Sub Slave 2){};
+
+ \draw[thick,darkgray!10!gray] (Sub Master.east)--(Sub Slave 1);
+ \draw[thick,darkgray!10!gray] (Sub Master.east)--(Sub Slave 2);
+ \end{scope}
+
+ \draw[thick,darkgray!10!gray,dotted] (ISP.north)--(Sub Slave 2.south);
+ \draw[thick,darkgray!10!gray,dotted] (ISP.north)--(Slave 2.south);
+
+ \node[darkgray,above=.7em of Client.north,font=\LARGE] {Client};
+ \node[darkgray,below=0 of Gateway.south,font=\LARGE] {Heimrouter};
+ \node[darkgray,below=0 of ISP.south,font=\LARGE] {ISP};
+
+ \node[darkgray,below=0 of Master.south,font=\LARGE] {Master};
+ \node[darkgray,below=0 of Slave 2.south,font=\LARGE] {Slaves};
+ \node[darkgray,below=0 of Sub Master.south,font=\LARGE] {Master};
+ \node[darkgray,below=0 of Sub Slave 2.south,font=\LARGE] {Slaves};
+ \node[darkgray, above=0 of de, font=\LARGE]{.de};
+ \node[darkgray, above=0 of siccegge, font=\LARGE]{.siccegge.de};
+ \end{tikzpicture}
+ \end{figure}
+\end{frame}
+
+\section{Signaturen}
+
+% \begin{frame}
+% \frametitle{ZSK, KSK}
+% \begin{itemize}
+% \item \texttt[KSK] ``KeySigningKey'' -- wird in der übergeordneten
+% Zone referenziert und signiert alle Schlüssel \emph{in} der Zone
+% \pause
+% \item \texttt[ZSK] ``ZoneSigningKey'' -- wird durch den \texttt{KSK}
+% authorisiert und signiert weitere Einträge
+% \pause\bigskip
+% \item Normalerweise gibt es \emph{einen} KSK und \emph{zwei} ZSKs in
+% einer Zone
+% \end{itemize}
+% \end{frame}
+
+\begin{frame}
+ \begin{description}
+ \item[KSK] ``KeySigningKey'' -- wird in der übergeordneten
+ Zone referenziert und signiert alle Schlüssel \emph{in} der Zone
+ \item[ZSK] ``ZoneSigningKey'' -- wird durch den \texttt{KSK}
+ authorisiert und signiert weitere Einträge
+ \end{description}
+ \begin{figure}
+ \centering
+ \begin{tikzpicture}[scale=1.2]
+ \tikzstyle{every node}=[font=\small]
+ \node[minimum width=8em,minimum height=12em,draw=gray](dezone) at (0,0) {};
+ \node[below=2em of dezone.south] {de. Zone};
+ \node[minimum width=8em,minimum height=12em,draw=gray](rootzone) at (-9em,0) {};
+ \node[below=2em of rootzone.south] {. Zone};
+ \node[minimum width=8em,minimum height=12em,draw=gray](sicceggezone) at (9em,0) {};
+ \node[below=2em of sicceggezone.south] {siccegge.de. Zone};
+
+ \node[ellipse,draw=debianred](rootksk) at (-9em,3em) {KSK};
+ \node[ellipse,draw=debianblue](rootzsk) at (-9em,0em) {ZSK};
+ \node[ellipse,draw=black](rootds) at (-9em,-3em) {DS};
+
+ \node[ellipse,draw=debianred](deksk) at (0em,3em) {KSK};
+ \node[ellipse,draw=debianblue](dezsk) at (0em,0em) {ZSK};
+ \node[ellipse,draw=black](deds) at (0em,-3em) {DS};
+
+ \node[ellipse,draw=debianred](sicceggeksk) at (9em,3em) {KSK};
+ \node[ellipse,draw=debianblue](sicceggezsk) at (9em,0em) {ZSK};
+ \node[ellipse,draw=black](arecord) at (6.5em,-2em) {\tiny{A}};
+ \node[ellipse,draw=black](aaaarecord) at (8em,-3em) {\tiny{AAAA}};
+ \node[ellipse,draw=black](sshfprecord) at (10.5em,-4em) {\tiny{SSHFP}};
+
+ \draw[arrow,draw=black] (rootds.south) |- ++(0,-2em) -| ([xshift=1em]rootzone.east)
+ |- ([xshift=4.5em,yshift=1em]rootzone.north) -| (deksk.north);
+ \draw[arrow,draw=black] (deds.south) |- ++(0,-2em) -| ([xshift=1em]dezone.east)
+ |- ([xshift=4.5em,yshift=1em]dezone.north) -| (sicceggeksk.north);
+
+ \draw[arrow,draw=debianred] (rootksk.south) -- (rootzsk.north);
+ \draw[arrow,draw=debianred] (deksk.south) -- (dezsk.north);
+ \draw[arrow,draw=debianred] (sicceggeksk.south) -- (sicceggezsk.north);
+
+ \draw[arrow,draw=debianblue] (rootzsk) -- (rootds);
+ \draw[arrow,draw=debianblue] (dezsk) -- (deds);
+ \draw[arrow,draw=debianblue] (sicceggezsk) -- (arecord);
+ \draw[arrow,draw=debianblue] (sicceggezsk) -- (aaaarecord);
+ \draw[arrow,draw=debianblue] (sicceggezsk) -- (sshfprecord);
+ \end{tikzpicture}
+ \end{figure}
+\end{frame}
+
+\begin{frame}
+ \frametitle{RRSIG}
+ \begin{block}{siccegge.de}\resizebox{\textwidth}{!}{\texttt{
+ \begin{tabular}{llll}
+siccegge.de. & IN & A & 62.113.200.104\\
+siccegge.de. & IN & RRSIG & A 8 2 43200 20140908181927 20140809171927 60018 siccegge.de.\\
+ &
+ \multicolumn{3}{l}{zldkAFJKKV4/gkmZ8DZkV7AT6nIt4mLXjClJwSnGqvrlBWEzc9h3knLMa9iJeEh01ZEZcWi+JRD/vVVNqBg4P1}\\
+ & \multicolumn{3}{l}{vCGsiPDvzBvO+gq0wtxPPpouNZA9r9h9in4sB3Vw/6HpMcqp843mB+B5SGQZkALDsVCcoY4J0/rPWPXYGHQkA=}\\
+\end{tabular}}}
+ \end{block}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Schlüsseltausch}
+ \begin{block}{Idee}
+ Wechsle die Schlüssel regelmäßig. Damit lassen sich auch kleine,
+ effizientere Schlüssel verwenden (DNS verwendet UDP!). Auch in
+ Sachen ``Revocation'' nützlich
+ \end{block}
+ \bigskip\pause
+ Schlüssel wechseln in DNS ist nicht so einfach: \pause Stichpunkt
+ \texttt{TTL}
+ \bigskip\pause
+
+ 2 Methoden:
+ \begin{itemize}
+ \item Neuen Schlüssel vor der Verwendung veröffentlichen
+ \item Vorübergehend die Daten mit beiden Schlüsseln signieren
+ \end{itemize}
+\end{frame}
+
+\section{NSEC und NSEC3}
+\begin{frame}
+ \frametitle{Negative antworten}
+
+ \begin{block}{Problem}
+ Mit den \texttt{RRSIG}s lassen sich bestehende Einträge im DNS
+ bestätigen. Es ist aber immer noch möglich, Einträge
+ ``verschwinden'' zu lassen. Was also noch fehlt ist die
+ Möglichkeit, die nicht-Existenz von Einträgen zu signieren.
+ \end{block}
+\end{frame}
+
+%TODO Why
+\begin{frame}<1>[label=nsec]
+ \frametitle{NSEC (Next SECure)}
+ \begin{itemize}
+ \item<1-> Bilde einen Kreis, der alle vorhandenen Einträge umfasst
+ \item<2-> Speichere signierte Feststellung, dass zwischen zwei Namen
+ kein dritter liegt
+ \item<2-> Bei negativer Antwort (\texttt{NXDOMAIN}) sende auch den
+ signierten \texttt{NSEC} Eintrag in dessen Interval die Antwort
+ liegen würde\pause\bigskip
+ \item<3> ``Zonewalking'' auflistung aller Einträge in einer Zone
+ \end{itemize}
+\end{frame}
+
+\begin{frame}<-3>[label=ring]
+ \begin{figure}
+ \centering
+ \begin{tikzpicture}[scale=0.9]
+ \onslide<3>{
+ \fill[debianred!10] (165:17mm) arc (165:215:17mm) -- (215:27mm)
+ arc (215:165:27mm) -- cycle;
+
+ \path[decoration = {text along path, text = {NSEC},
+ text align = {align = center}, raise = -0.5ex}, decorate]
+ (201:29mm) arc (201:155:29mm);
+ }
+
+ \onslide<6>{
+ \fill[debianred!10] (110:17mm) arc (110:165:17mm) -- (165:27mm)
+ arc (165:110:27mm) -- cycle;
+
+ \path[decoration = {text along path, text = {NSEC3},
+ text align = {align = center}, raise = -0.5ex}, decorate]
+ (180:14mm) arc (180:123:14mm);
+ }
+
+ \foreach \sector/\sectorlabel/\hash/\hashlabel in {%
+ 0/backup/evj1\dots/www,
+ 1/git/imua\dots/git,
+ 2/keyserver/mk9e\dots/wot,
+ 3/wot/nq8c\dots/backup,
+ 4/www/uv8c\dots/annex,
+ 5/annex/5kau\dots/keyserver}%
+ {
+ \node[font=\bfseries](node\sector) at ({60 * (-\sector - .5)}: 22mm) {\alt<-4>{\sectorlabel}{\hash}};
+
+ \draw[->, >=latex] ({60 * (-\sector - .5)-10}:22mm)
+ arc ({60 * (-\sector - .5) - 10}:{60 * (-\sector-1)- 10}:22mm);
+
+ \onslide<5->{
+ \node[font=\bfseries, circle, fill=debianblue!50, text=darkgray](hash\sector) at ({60 * (-\sector -
+ .5) + 15}:38mm) {H};
+
+ \node[font=\bfseries](orig\sector) at ({60 * (-\sector -
+ .5) + 30}: 50mm) {\hashlabel};
+ \draw[arrow, draw=darkgray] (hash\sector) -- (node\sector);)
+ \draw[arrow, draw=darkgray] (orig\sector) -- (hash\sector);)
+ }
+ }
+ \onslide<2->{
+ \node[font=\bfseries, left=8em of node3](null) {null};
+ }
+ \onslide<2-3>{
+ \draw[arrow] (null.east) -- ([yshift=3em]node2.west);
+ }
+ \onslide<5->{
+ \node[font=\bfseries, circle, fill=debianblue!50, above=3em
+ of null.north, xshift=2em, text=darkgray] (H) {H};
+ \draw[arrow, draw=darkgray] (null) -- (H);
+ \draw[arrow] (H) to node[above,font=\bfseries]{qfna\dots} ([yshift=1.5em]node3.north);
+ }
+ \end{tikzpicture}
+ \end{figure}
+\end{frame}
+
+\againframe<2->{nsec}
+
+\begin{frame}<1>[label=nsec3]
+ \frametitle{NSEC3}
+
+ \begin{itemize}
+ \item Statt Einträge in einem Ring anzuordnen, bilde zuerst eine
+ kryptographische Streusumme \pause
+ \item Verwende Salz und mehrere Runden der Streufunktion für
+ maximalen Effekt.
+ \end{itemize}\bigskip
+ \begin{block}{git.siccegge.de}\resizebox{\textwidth}{!}{\texttt{
+ \begin{tabular}{llll}
+siccegge.de. & IN & NSEC3PARAM & 1 0 5 6D1DAF17E2A6A252
+\end{tabular}}}
+ \end{block}
+\end{frame}
+
+\againframe<4->{ring}
+
+\againframe<2->{nsec3}
+
+\begin{frame}
+ \frametitle{Überprüfung negativer Antworten}
+ \begin{block}{Ziel}
+ Es ist trivial, in der \texttt{de}-Zone zu zeigen, dass dort
+ \texttt{www.siccegge.de} nicht existiert -- obwohl der name
+ durchaus vorhanden ist (allerdings nicht in der \texttt{de}-Zone
+ sondern in der \texttt{siccegge.de}-Zone). Wir müssen also auch
+ zeigen, dass wir in der ``richtigen'' Zone operieren.
+ \end{block}\pause
+ \begin{block}{``Closest Encloser''}
+ Daher 3 \texttt{NSEC3}-Einträge:
+ \begin{itemize}
+ \item Für die kürzeste, nicht mehr existente Oberdomäne zur
+ Anfrage, den \texttt{NSEC3}-Eintrag, der das Intervall überspannt.
+ \item Den um eine Komponente gekürzten \texttt{NSEC3}-Eintrag, der
+ entweder \emph{keinen} \texttt{NS}-Eintrag oder auch das Flag
+ für \texttt{SOA} enthält.\pause
+ \item Den \texttt{NSEC3}-Eintrag, der das Fehlen eines
+ Wildcard-Eintrags an dieser Stelle nachweist.
+ \end{itemize}
+ \end{block}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Negative Antwort}
+ \begin{block}{siccegge.de hat SOA}\resizebox{\textwidth}{!}{\texttt{
+ \begin{tabular}{rl}
+ 4ma0fb5t2s6kjtgc6r3qi4o49bn7pc4i.siccegge.de. & 3573 IN NSEC3 1 0 5 6D1DAF17E2A6A252 \\
+ 4TRVQLKF545FSK90ED6NCJ7DGMOJB6I8 & A NS SOA MX AAAA RRSIG DNSKEY NSEC3PARAM \\
+ \end{tabular}}}
+ \end{block}
+ \texttt{null.siccegge.de} hat den Hash-Wert \texttt{qfna56rlmnlbp3e85m4d6ckonnmpfg1i}
+ \begin{block}{null.siccegge.de existiert nicht}\resizebox{\textwidth}{!}{\texttt{
+ \begin{tabular}{rl}
+ qd2uevk27c2tdrh6535e0mkiratu1t5h.siccegge.de. & 3600 IN NSEC3 1 0 5 6D1DAF17E2A6A252 \\
+ QLLMC1NCRMN4AU8QCFQ24VAH7JFM6LQ6 & \\
+ \end{tabular}}}
+ \end{block}
+ \texttt{*.siccegge.de} hat den Hash-Wert \texttt{68m2atv9712l3e67oua61u5hp0v0273a.}
+ \begin{block}{*.siccegge.de existiert nicht }\resizebox{\textwidth}{!}{\texttt{
+ \begin{tabular}{rl}
+ 63r09adu0p1vdmkif5eb4dr6m2a3l5cp.siccegge.de. & 3600 IN NSEC3 1 0 5 6D1DAF17E2A6A252 \\
+ 6BJ555D3Q50SL34D50L1PGU887R73DC9 & RRSIG TLSA \\
+ \end{tabular}}}
+ \end{block}
+\end{frame}
+
+\section{Zusatznutzen}
+\begin{frame}{DANE}
+ Nachdem unser DNS jetzt kryptographisch abgesichert ist (auch nicht
+ schlechter als das CA System) kann man dort jetzt sicher weiteres
+ Schlüsselmaterial ausliefern:
+ \begin{itemize}
+ \item TLSA für alles was SSL/TLS macht
+ \item SSHFP für SSH Fingerprints
+ \item PGP-Schlüssel-Enträge
+ \item \dots
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{TLSA}
+ \begin{block}{TLSA}\resizebox{\textwidth}{!}{\texttt{
+ \begin{tabular}{llll}
+\_25.\_tcp.oteiza.siccegge.de. & IN & TLSA & 3 1 1
+101B5B5CCDC5568CEC385552611FD0355BF15DB293E96F46E29DE4A0C4B2BC3F \\
+\_443.\_tcp.siccegge.de. & IN & TLSA & 3 1 1
+62BEBD9F2E77CF26A4006A50F69FC3891BF7BEDDAEF8AC96E57C1D9BA2AB1F73 \\
+\_5222.\_tcp.xmpp.egger.im & IN & TLSA & 3 1 1 9c93fab0d88c911592dedfa7f9385aeee228b0c6d526813ad1182c983677736b
+\end{tabular}}}
+ \end{block}
+ \bigskip\pause
+ Achtung! Beim Schlüsseltausch gibt's wieder Spass.
+ \bigskip\pause
+ \begin{itemize}
+ \item 3: Bezeichnet ein Service Zertifikat
+ \item 1: Angegeben wird der öffentlich Schlüssel, nicht das
+ Zertifikat
+ \item 1: Angegeben wird eine \texttt{SHA256}-Summe
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{SSHFP}
+ \begin{block}{git.siccegge.de}\resizebox{\textwidth}{!}{\texttt{
+ \begin{tabular}{lll}
+git.siccegge.de & IN & SSHFP 1 1 0E812EE0A3704230F3C415076E1BAA149A5DC75B\\
+git.siccegge.de & IN & SSHFP 1 2 1CBACAF365040DC1DF841FD07D9186BC343D4AF7DCF689CC8CF4A2F75D7F4B57\\
+git.siccegge.de & IN & SSHFP 3 1 A2D0495E912DA039EEA51A1593F7F74FB919AAD4\\
+git.siccegge.de & IN & SSHFP 3 2 9BF73E3654AA65B847054247F85EFB5C88AB7460840B9C922E647B00696661CF\\
+git.siccegge.de & IN & SSHFP 4 1 2A3EF64AC589193ACFAD783B62E3C193A67F3F46\\
+git.siccegge.de & IN & SSHFP 4 2 880686195D6C1AAA6791F3A3EF4E7B565DCF9F560F2F1BBB93C56EFD5996F335\\
+\end{tabular}}}
+ \end{block}
+ \bigskip\pause
+ \begin{itemize}
+ \item Erste Zahl: Hostkeytyp
+ \item Zweite Zahl: Prüfsummentyp
+ \end{itemize}
+\end{frame}
+
+\section{Software}
+\begin{frame}{Überblick}
+ \begin{block}{Nameserver}
+ Müssen zusätzliche Einträge ausliefern (\texttt{RRSIG},
+ \texttt{NSEC3}). Für \texttt{NSEC3} müssen die richtigen Einträge
+ gefunden wernden
+ \end{block}\pause
+ \begin{block}{Signaturwerkzeuge}
+ \begin{itemize}
+ \item Müssen \texttt{RRSIG}s für die vorhandenen Einträge
+ erstellen und gelegentlich erneuern
+ \item Müssen die \texttt{NSEC3}- und \texttt{NSEC3PARAM}-Einträge
+ erstellen und signieren
+ \item Sollten Möglichkeit zum Schlüsseltausch beiten
+ \end{itemize}
+ \end{block}\pause
+ \begin{block}{Registrar}
+ Irgendwie müssen die Schlüssel in die darüberliegende Zone
+ kommen. Wenige Registrare haben das schon im Interface vorgesehen,
+ etliche lassen sich aber per Mail an den Support überreden
+ \end{block}
+\end{frame}
+
+\begin{frame}{Nameserver}
+ \begin{block}{Software}
+ Alle nennenswerten Nameserver (nsd, bind, powerdns, knot, \dots) können heutzutage DNSSEC ausliefern.
+ \end{block}\pause
+ \begin{block}{Sekundärserver}
+ Kaum ein kostenfreier Sekundärserveranbieter unterstützt DNSSEC --
+ das liegt unter anderem an den deutlich größeren Antworten und dem
+ Rechenbedarf für \texttt{NSEC3}, die signifikant Resourcen
+ verbrauchen.
+
+ $\Rightarrow$ Selber hosten (mit Freunden), beim Registrar schauen
+ oder bezahlen.
+ \end{block}
+\end{frame}
+
+\begin{frame}{Signaturwerkzeuge}
+ Im Grunde gibt es zwei Typen von Signaturwerkzeugen
+ \begin{block}{Im primären Nameserver}
+ BIND, Knot, PowerDNS
+ \begin{description}
+ \item[Vorteile] Keine weiteren Werkzeuge, dynamische Updatesmöglich
+ \item[Nachteile] Schlüsselmaterial im Netzwerkserver, bestehende
+ Implementierungen unflexibel in Sachen Schlüsselrotation
+ \end{description}
+ \end{block}\pause
+ \begin{block}{Separates Signaturwerkzeug}
+ OpenDNSSEC, dnssec-tools, cron
+ \begin{description}
+ \item[Vorteile] Flexibel, Signaturlösung Nameserver-agnostisch
+ \item[Nachteile] Softwarequalität \dots, weiteres Element, das
+ kaputt gehen kann
+ \end{description}
+ \end{block}
+\end{frame}
+
+\begin{frame}{Fragen?}
+ Download: https://static.siccegge.de/talks/dnssec-augsburg-2015-03-28.pdf\\
+ https://git.siccegge.de/?p=talk/dnssec.git
+
+ \vspace*{\fill}
+ \begin{center}
+ \includegraphics[width=7cm]{images/42.pdf}
+ \end{center}
+ \vspace*{\fill}
+\end{frame}
+
\end{document}
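Review bot: Lines 470 and 471 of the NSEC3 ring picture end with a stray `)` after the path terminator (`-- (node\sector);)`), which TikZ does not accept at picture level inside the `\foreach` body; the two lines should read `\draw[arrow, draw=darkgray] (hash\sector) -- (node\sector);` and `\draw[arrow, draw=darkgray] (orig\sector) -- (hash\sector);`. The style definitions at lines 17–22 and the `\tikzstyle{every node}` at line 331 use the deprecated `\tikzstyle` syntax; `\tikzset{netdb/.style={...}}` and `every node/.style={font=\small}` are the supported forms, and line 174 repeats libraries already loaded at line 5. The colours `i4gray` (line 19) and `switch` (lines 93, 183, 195, 198, 202) are not defined anywhere in the hunk, so unless the theme or an earlier part of the preamble supplies them the first use will fail with an undefined-colour error. On content, the NSEC3 slide's advice to use a salt and several hash rounds "für maximalen Effekt" (line 498) deserves a caveat, since extra iterations mainly raise the cost for validating resolvers and current guidance (RFC 9276) is zero additional iterations and an empty salt; a source comment such as `% NOTE: heutige Empfehlung (RFC 9276): 0 Iterationen, kein Salz` would keep the slide from teaching a dated setting.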